Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

I'd like to fix a buffer overflow in the pdfresurrect version that's in stretch. See https://security-tracker.debian.org/tracker/CVE-2019-14267.

Attached is the debdiff.

Francois

diff -Nru pdfresurrect-0.12/debian/changelog pdfresurrect-0.12/debian/changelog --- pdfresurrect-0.12/debian/changelog 2015-09-13 18:30:02.000000000 -0700 +++ pdfresurrect-0.12/debian/changelog 2019-07-30 08:54:01.000000000 -0700 @@ -1,3 +1,9 @@ +pdfresurrect (0.12-6+deb9u1) stretch; urgency=high + + * Fix buffer overflow (CVE-2019-14267). + + -- Francois Marier <franc...@debian.org> Tue, 30 Jul 2019 08:54:01 -0700 + pdfresurrect (0.12-6) unstable; urgency=medium * Run wrap-and-sort diff -Nru pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch --- pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch 1969-12-31 16:00:00.000000000 -0800 +++ pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch 2019-07-30 08:54:01.000000000 -0700 
@@ -0,0 +1,47 @@ +commit 4ea7a6f4f51d0440da651d099247e2273f811dbc +Author: Matt Davis <mattdav...@gmail.com> +Date: Thu Jul 25 20:30:04 2019 -0700 +Last-Update: 2019-07-30 + + Prevent a buffer overflow in possibly corrupt PDFs. + + The startxref identification logic assumed a worse case of having to + inspect 256 bytes. However, that is not always the case (e.g., + corrupted PDFs). This patch prevents that situation. + + This bug was identified by j0lamma. Thanks! + + CVE-2019-14267 + +diff --git a/main.c b/main.c +index d274acc..18ba696 100644 +--- a/main.c ++++ b/main.c +@@ -230,7 +230,10 @@ static pdf_t *init_pdf(FILE *fp, const char *name) + + pdf = pdf_new(name); + pdf_get_version(fp, pdf); +- pdf_load_xrefs(fp, pdf); ++ if (pdf_load_xrefs(fp, pdf) == -1) { ++ pdf_delete(pdf); ++ return NULL; ++ } + pdf_load_pages_kids(fp, pdf); + + return pdf; +diff --git a/pdf.c b/pdf.c +index 27b09a1..b671537 100644 +--- a/pdf.c ++++ b/pdf.c +@@ -210,6 +210,11 @@ int pdf_load_xrefs(FILE *fp, pdf_t *pdf) + fseek(fp, pos - (++pos_count), SEEK_SET); + + /* Suck in end of "startxref" to start of %%EOF */ ++ if (pos_count >= sizeof(buf)) { ++ ERR("Failed to locate the startxref token. " ++ "This might be a corrupt PDF.\n"); ++ return -1; ++ } + memset(buf, 0, sizeof(buf)); + fread(buf, 1, pos_count, fp); + c = buf; diff -Nru pdfresurrect-0.12/debian/patches/series pdfresurrect-0.12/debian/patches/series --- pdfresurrect-0.12/debian/patches/series 2015-09-13 18:30:02.000000000 -0700 +++ pdfresurrect-0.12/debian/patches/series 2019-07-30 08:54:01.000000000 -0700 @@ -1 +1,2 @@ fix_manpage_path.patch +CVE-2019-14267.patch
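
Review bot: in the pdf.c hunk of CVE-2019-14267.patch, the return value of fread(buf, 1, pos_count, fp) is still ignored after the new bound check, so a short read on a truncated file goes unnoticed and parsing continues on whatever the memset left in buf. Consider failing with the same -1 path when fread returns fewer than pos_count bytes. The check also sits after fseek(fp, pos - (++pos_count), SEEK_SET), whose result is unchecked; moving the bound test above the seek would keep the function from seeking with a count it is about to reject. Since the comparison pos_count >= sizeof(buf) is evaluated in size_t, it is worth confirming the declared type of pos_count, which is not visible in this hunk.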
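
Review bot: in the main.c hunk of CVE-2019-14267.patch, init_pdf() gains a NULL return path but no call site is touched in this diff, so the fix only holds if every caller already tests the result before dereferencing it. Please confirm that in the 0.12 source, and that the caller closes fp on this path, since init_pdf() frees pdf with pdf_delete() but leaves the FILE handle to its caller. A short comment on init_pdf() stating that it can return NULL for a corrupt PDF would document the new contract.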
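
Review bot: the header of debian/patches/CVE-2019-14267.patch mixes raw git log output (commit, Author, Date) with a single DEP-3 field (Last-Update), which leaves the patch without a machine-readable Origin or Description. Consider recording the upstream commit 4ea7a6f4f51d0440da651d099247e2273f811dbc in an Origin: field and moving the summary line into Description:, so the provenance of the backport is clear to whoever next touches this package in stretch.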